
Sparrowvsrevolution writes "Slashdot readers are no doubt familiar by now with the case of Onity, the company whose locks are found on 4 million hotel room doors worldwide and, as came to light over the summer, can be opened in seconds with a $50 Arduino device. Since that hacking technique was unveiled by Mozilla developer Cody Brocious at Black Hat, Onity first downplayed its security flaws and then tried to force its hotel customers to pay the cost of the necessary circuit board replacements to fix the bug. But now, after at least one series of burglaries exploiting the bug hit a series of hotel rooms in Texas, Onity has finally agreed to shoulder the cost of replacing the hardware itself — at least for its locks in major chain hotels in the U.S. installed after 2005. Score one point for full disclosure."

A bunch of people got their stuff stolen, a bunch of smaller hotels are out money, and Onity takes a huge hit? Seems like everyone would have been better off if everyone kept quiet and Onity just started shipping new units with the fix.

Just because Onity got targeted doesn't mean they are suddenly less secure than all the others.

Right... for example, they could have been less secure than all the others from the start.

Your argument, quoted above, is not false, but it is useful only in pointing out that we cannot assume the alternatives are secure. To anyone for whom the security of hotel locks matters, Onity has been shown to have been incompetent in its design, and it is the degree of its incompetence that matters. The vulnerability exploited here was not a subtle mistake.


We also now know that under no circumstance will Onity quickly and effectively deal with situations where their locks have been compromised.

How do you know NOBODY knew about it? These hacks could have been going on for years on a small scale in hotels, but no one would blame a firmware or circuit board design if they did not know there was a flaw. Some cop in some city could have caught someone and confiscated the device and had no idea what it was or how it worked, booked the guy, he did his few days in jail and moved on. It's not like a major hotel chain is going to publish the fact that they were robbed or hacked.

That assumes that nobody else would have figured out the same thing and used it. For that matter, who says nobody else did figure it out and use it? Are there no unsolved cases of things going missing from hotel rooms since these locks first started getting used until now?

I give it a month before the new firmware is discovered vulnerable to a very similar attack, or a way to bypass the plug is found.

That said, if I were Marriott, of course I'd have negotiated just this kind of deal. It would be quite simple, and any number of electronic lock-makers would fall over themselves to install reduced-cost locks (or even compatible boards) and just live off the future support for them.

What bothers me is not the replacement policy (which looks like you need to argue lots to get something quite reasonable, like a free firmware fix), or the security (we all know that lots of modern products have security flaws and to be honest, this one requires quite some skills / balls to exploit), but the denials and brushing-under-the-carpet.

Your locks have one purpose. To stay shut against an intruder. That's all. Sure, we don't expect the room to be impenetrable or them to be crowbar-proof, but we do expect you to not be able to walk up to them with just a device and start changing their settings without that device being authenticated, revokable and protocol-protected. And certainly not to the point that you can work out what to do to make it accept any card from just a lock alone without some serious reverse-engineering.

Damn right, you'd replace my locks. Or your insurance would have one huge hefty claim on it by now from chains like Marriott. Hell, I'd even let you off if I could fit them myself on my own schedule so as to not disturb guests or interfere with business operations, and even let you charge me for delivery.

But what I wouldn't accept would be it taking MONTHS to get to the position that a fix was available after a successful public demonstration. You should have been calling me up and shipping the updated boards/firmware the next day, at least, and worrying about the cost later.

If there's a repeat of this incident with the new board, I would need to KNOW that you were going to do something timely about it BEFORE burglaries start hitting my hotel insurance, which may not even pay out if the locks are that bad.

Your locks have one purpose. To stay shut against an intruder. That's all. Sure, we don't expect the room to be impenetrable or them to be crowbar-proof, but we do expect you to not be able to walk up to them with just a device and start changing their settings without that device being authenticated, revokable and protocol-protected. And certainly not to the point that you can work out what to do to make it accept any card from just a lock alone without some serious reverse-engineering.

Well, it's not as if you can just stick in an unbent paper clip or the barrel of a stick pen. And it's not as if you can connect a quickly hacked-together "pick" made out of an old wall wart and a 9 Volt battery. You have to stick in a specifically crafted piece of sophisticated electronics. The manufacturer thought that would be enough of a barrier.

But what I wouldn't accept would be it taking MONTHS to get to the position that a fix was available after a successful public demonstration. You should have been calling me up and shipping the updated boards/firmware the next day, at least, and worrying about the cost later.

You want to go from zero to having authenticated, revokable and protocol-protected lock programmers in a day? Dream on, chum, dream on.

Well, it's not as if you can just stick in an unbent paper clip or the barrel of a stick pen. And it's not as if you can connect a quickly hacked-together "pick" made out of an old wall wart and a 9 Volt battery. You have to stick in a specifically crafted piece of sophisticated electronics. The manufacturer thought that would be enough of a barrier.

Actually, I think the manufacturer thought that it would be more like something you'd see on TV in CSI where only the super-duper elite criminals would be able to pick the locks, not "some dude who watched a video on YouTube or found a web page on how to do it". It's kind of like car alarms. Car alarms don't exist to stop the elite thieves because they won't. They exist to stop Joe Crackhead from trying to steal your car. What happened basically is somewhat equivalent to finding a way to turn off the car alarm so Joe Crackhead is now a serious threat to steal your car with impunity.

"You want to go from zero to having authenticated, revokable and protocol-protected lock programmers in a day? Dream on, chum, dream on."

When you're paying probably $100+ per lock (the internal circuit boards are $11 replacement-cost if you don't send them back, for a start) * 50 locks per floor * 5 floors per hotel * 3700 franchisee hotels? Plus any number of other clients?

No. I expect it to already be in place, especially if it means that you have to produce several thousand such devices for your field

You have to stick in a specifically crafted piece of sophisticated electronics. The manufacturer thought that would be enough of a barrier.

Clearly it wasn't because criminals started to exploit it very quickly. And the "specifically crafted piece of sophisticated electronics" is actually a low cost dev board designed specifically to be easy to use by non-technical people like artists. No programming and only very basic soldering skills required.

You want to go from zero to having authenticated, revokable and protocol-protected lock programmers in a day? Dream on, chum, dream on.

I don't think the GP was implying that they should implement all those fixes, merely the one that they have used - to remove the debug header from the PCB.

"Score one point for full disclosure". I don't think so. "Score one for bad publicity", yes. With the previous customers looking somewhere else to provide new locks, as Onity weren't caring about them and their promise of high-security electronic locks...

What about the people who were robbed, and the hotels they were staying in? If they had not known about this vulnerability it would have made investigation and getting compensated very difficult. The cops are hardly going to do a teardown of the lock to see if it is hackable.

Onity probably wouldn't have told anyone about the problem anyway. Often vendors just ignore the problem or quietly fix it and then release a new "even more secure" version of the product and charge you for it.

"Onity’s proposal for franchisees is conditioned on the franchisee’s acknowledgement that Onity does not guarantee a lock’s invulnerability to hacking."

While this is a reasonable statement on its own, the real issue here is competence. Onity's design was in such blatant and avoidable violation of basic security principles (e.g. a small keyspace and a lack of real cryptography) that it might be called negligent.

Physical lock makers will tell you that their cheap locks are pickable. But they'll sell you "security" locks that cost much, much more, and are much more resistant to lockpicks. Several manufacturers have offered bounties for anyone that can pick their locks.

Did Onity offer customers the choice of good and better locks and the customers cheaped out, or was this the best they had?

Physical lock makers will tell you that their cheap locks are pickable. But they'll sell you "security" locks that cost much, much more, and are much more resistant to lockpicks.

Are you suggesting that every physical lock maker also offers the advanced tumblers? Are you also suggesting that offering such tumblers is a prerequisite to not getting sued into oblivion on your cheap tumblers? Finally, are you suggesting that this electronic lock company claimed that its locks were unpickable?

Meanwhile, most of the non-electronic locks manufactured in the world can be "hacked" by a pair of paper clips.

Onity's locks should be judged not only by their physical counterparts, but also by what can reasonably be achieved electronically. This problem was entirely avoidable, at little or no extra original expense (and much less overall), if Onity had just employed one or two competent, security-aware developers/designers. I don't expect perfection, but is reasonable competence too much to ask?

I'm calling bullshit here. Looks to me like their locks were fit for purpose, where its purpose is to keep honest people honest.

The larger issue that concerns me here is that this cavalier attitude to electronic security seems to be unjustifiably comm

The reasonable statement would be that while Onity cannot guarantee the lock won't be hacked, it will offer a free replacement if such a hack were to be found. This puts the incentive in the right place. Onity could even have a third party insurer cover the risk if they don't want this exposure on their balance sheet.

If by that you mean disassembling the face of the lock, plugging the widget in and shoving the magic electrons in.

You know what else works "in seconds"? A $10 crowbar, 100% of the time.

It's a ridiculous nerd-rage non-issue, given that to work the hack you'd have to be on site for an extended period, cool as a cucumber, looking and acting like a member of staff. You might as well be staff, and that's where the real vulnerability is, and always will be.

If by that you mean disassembling the face of the lock, plugging the widget in and shoving the magic electrons in.

You know what else works "in seconds"? A $10 crowbar, 100% of the time.

It's a ridiculous nerd-rage non-issue, given that to work the hack you'd have to be on site for an extended period, cool as a cucumber, looking and acting like a member of staff. You might as well be staff, and that's where the real vulnerability is, and always will be.

In seconds means in seconds. Know the facts before you call someone's legitimate concerns ridiculous.

Hotels have engineering or maintenance staff who carry tools around all the time (the "engineering" term is used at the more expensive hotels). You just need to dress like a working class guy in a uniform--your name on a badge helps--and no one will question why you're wandering around with a crowbar. At a nice place it's a cheaper look to pull off than the suit you'd need to look like a concierge.

I was just in a hotel last week and had put my laptop in the room safe. I entered my 6 digit code and locked the safe. Two days later, I tried to open it and it wouldn't take my pin. I called the hotel staff and a maintenance guy came to my room with a small 10-key pad that had an LCD display. He plugged an RJ45 cable into a port on the bottom of the locking device, entered 2468#, then 1357#, and the safe opened. After it was open, it flashed LO-BAT, so that explains why it lost my combination.

When we checked into the Bellagio in Vegas a long time ago, we found our room safe already locked. We called down to the desk, and they sent up three guys: a technician, a security dude to stand behind the technician, and a security guy at the door.

The technician had to plug something in and manipulate the lock. When it opened, the security guy behind him looking over his shoulder confirmed it was empty, said so out loud, and the guy at the door radioed the information down to someone.

It is entirely possible that actual authentication happened before he even came to your room.

They obviously know the serial number of the safe in your room. It may have required physical keys, codes, and biometrics from multiple high-ranking employees to download a single use time-limited code onto that key-pad.

One, the vulnerability is such that after the fact there is no indication that the lock was ever hacked. If somebody has used this hack on a lock, there is no way for the owner or anyone else to tell that somebody has bypassed it (as there would be with a physically broken lock, for instance).

Two, the hack did not require access to abnormally sophisticated skills or tools (Arduinos can be purchased, retail, by anybody, and used by anybody, even if they do not know how to program, any more than i

When the news about the hack got out, the company came out with "two levels of fixes".

The first level is basically making the DC charging port more difficult to access. Replace plastic with metal etc. It was willing to ship that thing for free.

Then, it had the second level fix, flashing new firmware. It wanted some $40 per lock for the locks that were capable of accepting the patch! This is basically daylight robbery. There is simply no justification for charging that much for a security upgrade in software! If the locks were not capable of being upgraded, then the entire board has to be changed, costing even more money.

I think Onity does not seem to get one striking fact. 90% of the motels and economy hotels are owned by Indian immigrants. It is very much possible they have a cousin back home who might hack out a patch.